A Look Back at the Target Breach

04/06/2015 10:30 am ETUpdated
Jun 06, 2015

If the Ghosts of Crisis Management Past were product defects, recalls and industrial accidents, today's biggest damage control goblin is the data breach. It's easy to pontificate about how to properly manage the fallout from cyber attacks, but a lot harder to actually do it, as Target has learned since its landmark Christmas 2013 uber-breach.

Target's damage control has been effective, by and large, but costly, which is fair warning to the many other enterprises that have and will face similar challenges.

The Breach

Between Thanksgiving and Christmas 2013, criminal hackers potentially gained access to some 40 million Target customer credit cards. More than 100 million people could have been affected and as many as 60 million may have had personal information accessed.

In the age of the hyper-niche (versus journalistic generalists), it was a security blogger that first broke the news along with allegations that Target was hiding the bad news from vulnerable customers after Target executives reported the breach to the Department of Justice and the company discreetly hired a forensic investigator. The quiet approach in this case didn't work.

Predictably, news stories said that Target had failed to act on warning signs that a major breach was imminent. According to Target, few serious instances of fraud have been reported, but customers panicked when they realized that some cards may have been sold on the black market. Target's profits dropped almost 50 percent from the same time the previous year while angry customers lashed out at the company's customer service hotline's perpetual busy signal.

Target's Response

From the outside, it seemed as if Target had been caught flat-footed. However, the trope of the hobbled giant is inevitable because of what I call in my book, GLASS JAW, the "Fiasco Vortex." A Fiasco Vortex occurs when a combination of new and old media metastasizes into a self-feeding system of toxic attention beyond the reach of human treatments. In the Fiasco Vortex, every crisis is deemed to have been mishandled and the negative attention given to the crisis further paralyzes a company's capacity to quell the storm due to endless waves of second-guessers in multiple media such as Facebook, which lit up attacking Target's customer service.

Nevertheless, once the breach became known, the company took a series of decisive actions. Target announced a 10 percent discount the weekend before Christmas and offered free credit monitoring for one year for affected customers.

In the following months, Target overhauled its security systems to identify internal and external risks to shoppers' personal info, along with additional training for employees on how to better keep customers' information safe. The company also announced it would spend $100 million for more advanced registers and other technology to process new, safer cards.

As often happens when a vortex finally slows, Target's CEO and CIO resigned a few months after the attack.

Where Things Stand

Target's share price dipped from $62 before the crisis to $56 one month later. At this writing, Target's share price is now at around $82. Fourth quarter 2014 comparable sales were up nearly 4 percent. The company remains in litigation with the major credit card companies and still faces potential penalties from the Securities and Exchange Commission and the Federal Trade Commission.

To be sure, Target faces strategic challenges such as competition from online retailers, which they would independent of the 2013 holiday breach.

Lessons Learned So Far

Crisis management is not about making ugly things look good, it's about making things less bad so you can get back to business. Target appears to have accomplished many of the things it needed to in order to return to form.

Having spent a career navigating some of the worst corporate crises imaginable, I have a visceral distaste for commentary from the cheap seats that declare every crisis to have been botched, leveraging the cliché that an organization knew -- or should have known -- about a problem but did nothing anyway. Such judgments are easy to make in retrospect, but a few guideposts are worth considering:

1. Target's recovery has been due to tangible management and operational actions, not slick public relations maneuvers.
2. Crisis management is expensive. Target estimates it has already paid $252 million to manage the breach (an estimated $90 million offset by insurance). Target also recently set aside a $10 million pot in escrow for customers who can prove their accounts were seriously compromised.
3. Expert bloggers can break a damaging story whereas once it required major media to do it. In Target's case former Washington Post reporter Brian Krebs published the first story about the breach on his blog KrebsonSecurity. Experts such as Krebs pay closer attention to stories that larger news organizations may miss (or find uninteresting) and also have access to unique and seemingly obscure sources.
4. It's harder to hide problems than it was before the internet. While waiting until a problem has been fully investigated before going public remains a legitimate strategy, the internet may not be so patient. Calls for immediate disclosure are often unrealistic, but news leaks are now the rule not the exception, so prepare accordingly.
5. The dividends of crisis management take time to pay off. While new and old media demand immediate miracles, companies expecting to swiftly stop the Fiasco Vortex will be disappointed. Good companies can survive the Vortex, just not very quickly.

Ultimately, the best public relations for a company like Target will be to not have another breach and to perform well. But a company can only get there by recognizing that crisis management is more about what you do than what you say.